Technology advances at a supersonic speed. This advancement has led to the generation, collection, processing, and transfer of gargantuan amount of data at an exponential rate. According to Forbes, by the year 2020, the accumulated digital universe of data would be around 44 zettabytes of data or 44 trillion gigabytes.
This exponential growth of data has raised a number of concerns including, but not limited to, cyberattack, hacking, cyberbullying, doxxing, phishing, identity theft, among other things. In its 2018 Global Risks Report, the World Economic Forum ranks the top 10 risks in the likelihood of their happenstance. Cyberattack ranks third while data fraud or theft ranks fourth. In terms of impact, cyberattack rank sixth.
In recent times, massive data breaches have diminished public confidence in major players in the tech world. The one that easily comes to mind is the harvest of personal information of more than 80 million Facebook users by Cambridge Analytica. The possibility of abuse, misappropriation and breach of personal data has led to the promulgation of laws and regulations geared towards the protection of personal data/information.
On 25 January 2019, the Nigerian National Information Technology Development Agency (NITDA) issued the Nigerian Data Protection Regulation (the 2019 Regulation). The Regulation applies to all residents of Nigeria, all citizens of Nigeria residing outside of Nigeria and all transactions for the processing of personal data of such individuals.For the sake of clarity, personal data refers to any information relating to an identified or identifiable person and it includes names, photo, identification number, address, email address, bank account details, any physiological or genetic feature, posts on any social media networking websites, among other things.
The regulation applies to all categories of personal information across all sectors and provides basic rights and protections to data subjects. It requires that organisations obtain consent before collecting personal information, disclose how the information is to be used, provide how consumers may request the deletion of their information.
By the provisions of the 2019 Regulations, organisations and persons involved in collection, storage and processing shall develop such security measures necessary to minimise the security risks of keeping personal information.Such measures include and are not limited to, protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.
Personal information must be secured against all foreseeable hazards and breaches such as theft,cyber-attack, viral attack,dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
Where an organisation is subcontracting its data security/processing obligations to another party, it must be governed by a written contract between the third party and the organisation, which shall ensure strict compliance with the Regulation.
a. The description of the personal information being collected;
b. the purpose of collection of the information;
c. the technical methods used to collect and store information, cookies, web tokens, etc;
d. access, if any, of third parties to personal information and the purpose of access;
• Identify the applicable law. Each legal system imposes different guidelines to regulate the collection and processing of personal information. The first step, therefore, is to identify the relevant laws which will apply to your website or other media of collection of information.
• Dispute resolution. A clause setting out the dispute resolution process is needed, should the need arise.